Windows Identity Foundation (WIF) is a security feature that offers broad functionality: federated authentication, claims-based authorization, and token transformation, to name a few. But being a security feature does not make WIF secure and safe by default. To improve and strengthen WIF's security, it is useful to understand the threats associated with it and map the countermeasures that mitigate those threats. This is the list of Threats and Countermeasures for claims-aware ASP.NET Web Applications, distilled from existing WIF documentation. If you have more to add, feel free to submit it in the comments below.